The storage facility door at Quality Self Storage in Olympia, where WSU researchers had stored a hard drive containing sensitive information for over 1 million people. The hard drive was in a small safe inside a locker that WSU was renting. The locker was broken into and the safe stolen. Joe O’SullivanThe Seattle Times

The storage facility door at Quality Self Storage in Olympia, where WSU researchers had stored a hard drive containing sensitive information for over 1 million people. The hard drive was in a small safe inside a locker that WSU was renting. The locker was broken into and the safe stolen. Joe O’SullivanThe Seattle Times

WSU gets costly lesson in theft of hard drive with more than 1 million people’s personal data

It’s been a very expensive lesson — $150,000 at least — for Washington State University in keeping sensitive computer data from being stolen in a mundane burglary.

The university had a backup hard drive containing confidential information — such as Social Security numbers — for 1,027,079 people.

Where was it stored? In a $126-a-month, 8-by-10 self-storage locker in Olympia, inside a $159, 86-pound safe that you can buy at Home Depot.

The storage facility is a few blocks from the school’s Social and Economic Sciences Research Center. It conducts projects with such teasing titles as, “Higher Education Opportunities in East Jefferson County.”

Help us deliver journalism that makes a difference in our community.

Our journalism takes a lot of time, effort, and hard work to produce. If you read and enjoy our journalism, please consider subscribing today.

The personal information was not used for anything remotely controversial — more like tracking stuff, like the success of job-training programs, according to WSU.

“You use a storage locker for old mattresses and crappy furniture, not personally identifiable information,” said Bryan Seely, a Seattle-based cybersecurity expert. “A lot of people have access to those facilities. Once you’re through the main gate you generally have access to every door in every storage unit.”

As for the safe, which was hauled out of the locker, Seely said, “Now you’re not at the crime scene. You have all the time in the world to crack it open.”

That $150,000 is the deductible on its “breach response” insurance policy with Beazley USA, WSU spokesman Phil Weiler said.

The actual costs will be several hundred thousand dollars higher, which WSU says will be covered by insurance because the policy covers 2 million impacted people.

One million letters were mailed first class. Depending on whether the letters were bar coded and sorted in advance, the postage alone cost between $383,000 and $465,000, according to the Postal Service. One envelope from WSU showed the postage at the higher rate.

Through its insurance policy, WSU is also offering a year of free credit monitoring that costs about $10 a person at the commercial rate.

WSU says that so far, 8,367 people have taken up the offer. So that’s another $80,000-plus, also covered by insurance, according to the school.

Insurance companies aren’t keen on customers that continue such risky behavior, said Chad Thunberg, chief operating officer of Leviathan Security in Seattle. “Expect premiums to go up. They may end up dropping you.”

WSU says it’s going to do a “top-to-bottom” assessment of its computer-security practices “to help prevent this type of incident from happening again.”

The incident hasn’t exactly endeared WSU to individuals who received the letters about the breach of data. The letters referred to some of them as “survey participants.”

“I’m a substitute teacher with the Seattle school district and found one of these letters in my mail. Like most recipients, I was upset and wondered how I had unknowingly been part of a survey that used my personal data … also, being a (University of Washington) Husky, there is NO WAY I would have volunteered to participate in a WSU survey!” Nancy Anderson said..

WSU had to explain the “misunderstanding” about its use of the term “survey.”

It wasn’t about people answering questions from a researcher. “Survey” in this case meant an “evaluation.”

The reason WSU was able to access information like Social Security numbers is because of a federal law called the Family Educational rights and Privacy Act — that’s FERPA.

The law basically allows educational institutions to share “personally identifiable information” to conduct studies on behalf of public agencies. For example, Weiler said, a school district might want to know how many graduating seniors go on to vocational school or college. What better way to track you than with your Social Security number?

Tommy Bell, of Bellingham, still can’t figure out how he got ensnared in this survey. His wife, Elizabeth Pankratz, also received such a letter.

“I went to Western Washington,” he said. “I attended Whatcom Community College. Maybe the schools shared it. I don’t really know.”

Also receiving a WSU letter was Theresa Rozelle, a nurse who three months ago moved from this area to Monterey, California.

She called the toll-free number to sign up for the free credit check, but it turned out that the code given in her letter did not work.

The toll-free number goes to a call center hired by the insurance company.

Rozelle says she bounced around the call center and ended up speaking to a pleasant-sounding woman who said she could help with the free-credit monitoring.

“This is everything I’ve been taught not to do,” she says. “This felt too much like a scam itself.”

Some of those receiving the letters also have questions about the theft at Quality Self Storage in Olympia, which has some 500 units.

“Only one unit was picked on?” wonders Tommy Bell.

The theft was reported about 3 p.m. April 21.

The project manager for the research center went to the unit to exchange backup drives. There were two backups, says WSU’s Phil Weiler, and they were switched out each week.

There are key pads outside sidewalk doors to the storage facility.

A sign states, “Shield the key pad from view and be aware of anyone watching as you enter your access code.”

The police report says the project manager reported “everything appeared normal” when she walked up to the unit inside.

The school had bought its own lock for the slide-up to the unit. It later turned out the lock had been tampered with.

The WSU manager “looked around the small storage unit and realized the safe was completely gone from the unit.”

The police report says the manager was told by the storage facility that they have no cameras, and so no video was available.

Olympia police closed the case: “Clear, leads exhausted.”

But in recent days, Olympia police Lt. Paul Lower said, “Looks like one of our detectives is having another look at this case. Evidently, someone called our detectives about this case and we have a small lead now to follow.”

Patrick Reilly, president of the storage facility, says no other unit was reported broken into that day.

“It’s a very secure facility,” he says. “Somebody apparently knew where to go.”

As to how much the 1 million recipients of the WSU should worry, there is this:

A security company called Navigant was hired to find out what was compromised.

It took Navigant six weeks to work through the hard drive that wasn’t stolen using “brute force attack.” The brute part means using all possible combinations of characters in sequence to open up a file.

Some of the files in the hard drive were encrypted, some password protected.

So, if it took the experts six weeks to untangle the hard drive, what are the odds that some black-hat hackers decided that Unit No. 326 in a storage facility in Olympia was worth it?